Coverity-updates archive
New Defects reported by Coverity Scan for NetBSD-i386-kernel
Hi,
Please find below the latest report on new defect(s) introduced to
NetBSD-i386-kernel, as found by Coverity Scan.
Defect(s) Reported-by: Coverity Scan
Showing 4 of 4 defect(s)
** CID 1231861: Explicit null dereferenced (FORWARD_NULL)
/sys/netinet/tcp_usrreq.c: 1226 in tcp_disconnect1()
** CID 1231862: Out-of-bounds access (OVERRUN)
/sys/compat/ibcs2/ibcs2_stat.c: 313 in ibcs2_sys_utssys()
** CID 1231863: Dereference before null check (REVERSE_INULL)
/sys/kern/uipc_usrreq.c: 1316 in unp_disconnect1()
** CID 1231864: Dereference before null check (REVERSE_INULL)
/sys/netbt/hci_socket.c: 425 in hci_send_pcb()
________________________________________________________________________________________________________
*** CID 1231861: Explicit null dereferenced (FORWARD_NULL)
/sys/netinet/tcp_usrreq.c: 1226 in tcp_disconnect1()
1220 #endif
1221 else
1222 so = NULL;
1223
1224 if (TCPS_HAVEESTABLISHED(tp->t_state) == 0)
1225 tp = tcp_close(tp);
>>> CID 1231861: Explicit null dereferenced (FORWARD_NULL)
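>>> Dereferencing null pointer "so".
>>> "so" is set to NULL on the else branch at line 1222, and line 1226 reads
>>> so->so_options without a check when the connection state is established.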
1226 else if ((so->so_options & SO_LINGER) && so->so_linger == 0)
1227 tp = tcp_drop(tp, 0);
1228 else {
1229 soisdisconnecting(so);
1230 sbflush(&so->so_rcv);
1231 tp = tcp_usrclosed(tp);
________________________________________________________________________________________________________
*** CID 1231862: Out-of-bounds access (OVERRUN)
/sys/compat/ibcs2/ibcs2_stat.c: 313 in ibcs2_sys_utssys()
307 struct ibcs2_utsname sut;
308
309 memset(&sut, 0, ibcs2_utsname_len);
310 memcpy(sut.sysname, ostype, sizeof(sut.sysname) - 1);
311 memcpy(sut.nodename, hostname, sizeof(sut.nodename));
312 sut.nodename[sizeof(sut.nodename)-1] = '\0';
>>> CID 1231862: Out-of-bounds access (OVERRUN)
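>>> Overrunning array "osrelease" of 7 bytes by passing it to a function
>>> which accesses it at byte offset 7 using argument "8U".
>>> The copy length comes from the destination (sizeof(sut.release) - 1), not
>>> from the source, so one byte past the end of "osrelease" is read into
>>> "sut", which line 317 then passes to copyout(). Bounding the copy by the
>>> source, as the strlcpy() on line 314 does for a NUL-terminated string,
>>> avoids the over-read.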
313 memcpy(sut.release, osrelease, sizeof(sut.release) - 1);
314 strlcpy(sut.version, "1", sizeof(sut.version));
315 memcpy(sut.machine, machine, sizeof(sut.machine) - 1);
316
317 return copyout((void *)&sut, (void *)SCARG(uap, a1),
318 ibcs2_utsname_len);
________________________________________________________________________________________________________
*** CID 1231863: Dereference before null check (REVERSE_INULL)
/sys/kern/uipc_usrreq.c: 1316 in unp_disconnect1()
1310 if (unp2->unp_refs == unp)
1311 unp2->unp_refs = unp->unp_nextref;
1312 else {
1313 unp2 = unp2->unp_refs;
1314 for (;;) {
1315 KASSERT(solocked2(so, unp2->unp_socket));
>>> CID 1231863: Dereference before null check (REVERSE_INULL)
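>>> Null-checking "unp2" suggests that it may be null, but it has already
>>> been dereferenced on all paths leading to the check.
>>> The KASSERT on line 1315 reads unp2->unp_socket before the check on line
>>> 1316, so where the assertion is compiled in, a null "unp2" faults there
>>> and the explicit panic() is never reached.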
1316 if (unp2 == 0)
1317 panic("unp_disconnect1");
1318 if (unp2->unp_nextref == unp)
1319 break;
1320 unp2 = unp2->unp_nextref;
1321 }
________________________________________________________________________________________________________
*** CID 1231864: Dereference before null check (REVERSE_INULL)
/sys/netbt/hci_socket.c: 425 in hci_send_pcb()
419
420 return 0;
421
422 bad:
423 DPRINTF("packet (%d bytes) not sent (error %d)\n",
424 m->m_pkthdr.len, err);
>>> CID 1231864: Dereference before null check (REVERSE_INULL)
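>>> Null-checking "m" suggests that it may be null, but it has already been
>>> dereferenced on all paths leading to the check.
>>> The DPRINTF on lines 423-424 reads m->m_pkthdr.len before the "if (m)"
>>> test on line 425; if any path reaches "bad:" with a null "m", the debug
>>> print is where the fault occurs.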
425 if (m) m_freem(m);
426 return err;
427 }
428
429 static int
430 hci_attach(struct socket *so, int proto)
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
http://scan.coverity.com/projects/1450?tab=overview
To unsubscribe from the email notification for new defects,
http://scan5.coverity.com/cgi-bin/unsubscribe.py